Firefox maker Mozilla plans to distrust new digital certificates from WoSign, the Chinese certificate authority (CA) that issued bogus HTTPS certificates for GitHub. Mozilla has also proposed ousting Israel-based CA StartCom, which WoSign acquired in November 2015.
In a lengthy analysis posted to Google Docs, the company says “Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA. Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly-issued certificates issued by either of these two CA brands.”
That analysis follows on from the 13 major issues Mozilla outlined on its wiki a few weeks ago.
The 13 issues include, but are not limited to:
- “WoSign issued two certificates in March 2015. These certificates are identical in all ways (including their serial numbers) except for their notBefore dates, which are 37 seconds apart.”
- “On April 3rd, 2015, WoSign was contacted by Google, who were concerned about Baseline Requirements violations in recently-issued certificates from WoSign. Instead of specifying the violations directly, Google asked WoSign to check their certificates against their CPS.”
- “WoSign has issued two pairs of intermediates with the same issuer duplicate serial numbers – one pair with a notBefore in May 2015, and one pair with a notBefore in July 2015. All four certificates were issued by WoSign’s “CA 沃通根证书” root. This is a violation of RFC 5280.”
And the list continues.
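Two of the quoted findings come down to the same RFC 5280 rule: a CA must never issue two certificates with the same serial number under the same issuer name (section 4.1.2.2), so a corpus of issued certificates can be audited for that defect mechanically. The script below is an added illustration of such a check and is not code from Mozilla, WoSign or the article. It walks just enough DER to pull the serial number, issuer and notBefore out of each certificate, then groups by (issuer, serial). The certificates it runs on are constructed, unsigned skeletons built by `make_sample_cert` (a helper written here for the example), shaped to reproduce the "37 seconds apart" pattern; on real input you would feed it DER from a CT log or a CA's issuance database.

```python
"""Audit a certificate corpus for duplicate (issuer, serial) pairs (RFC 5280 4.1.2.2).

Added example, not Mozilla's or WoSign's code. The DER walker handles only
the leading TBSCertificate fields it needs; sample certificates are constructed
and unsigned, built purely so the check can run offline.
"""
import hashlib
from collections import defaultdict
from datetime import datetime


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end, next_pos) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        length, hdr = first, 2
    else:                                  # long-form length: first & 0x7F length bytes follow
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, start, start + length, start + length


def _children(buf, start, end):
    """Yield (tag, value_bytes, raw_tlv_bytes) for each element in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve, nxt = _read_tlv(buf, pos)
        yield tag, buf[vs:ve], buf[pos:ve]
        pos = nxt


def parse_cert_identity(der):
    """Extract (issuer_fingerprint, serial, not_before) from a DER-encoded certificate."""
    _, tbs_pos, _, _ = _read_tlv(der, 0)            # outer Certificate SEQUENCE
    _, start, end, _ = _read_tlv(der, tbs_pos)       # tbsCertificate SEQUENCE
    fields = list(_children(der, start, end))
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    serial_tag, serial_val, _ = fields[0]
    if serial_tag != 0x02:
        raise ValueError("serialNumber must be an INTEGER")
    serial = int.from_bytes(serial_val, "big", signed=True)
    _, _, issuer_raw = fields[2]                     # fields[1] is the signature algorithm
    issuer_fp = hashlib.sha256(issuer_raw).hexdigest()[:16]   # key on the raw issuer Name DER
    _, validity_val, _ = fields[3]
    nb_tag, nb_val, _ = next(_children(validity_val, 0, len(validity_val)))
    fmt = "%y%m%d%H%M%SZ" if nb_tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return issuer_fp, serial, datetime.strptime(nb_val.decode("ascii"), fmt)


def find_duplicate_serials(certs):
    """Group certificates by (issuer, serial); return only groups with more than one member."""
    groups = defaultdict(list)
    for der in certs:
        issuer_fp, serial, not_before = parse_cert_identity(der)
        groups[(issuer_fp, serial)].append(not_before)
    return {key: sorted(times) for key, times in groups.items() if len(times) > 1}


# ---- constructed test data (hypothetical, unsigned certificate skeletons) ----

def _der(tag, value):
    """Encode one DER TLV; long-form lengths up to 65535 bytes."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes(2, "big") if n > 0xFF else bytes([n])
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def make_sample_cert(issuer_cn, serial, not_before_utc):
    """Build an unsigned TBS-shaped certificate with the given issuer CN, serial and notBefore."""
    version = _der(0xA0, _der(0x02, b"\x02"))                       # v3
    serial_der = _der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    sig_alg = _der(0x30, _der(0x06, bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B])))
    rdn = _der(0x30, _der(0x06, bytes([0x55, 0x04, 0x03])) + _der(0x0C, issuer_cn.encode()))
    issuer = _der(0x30, _der(0x31, rdn))                            # Name { SET { CN=... } }
    validity = _der(0x30, _der(0x17, not_before_utc.encode()) + _der(0x17, b"300101000000Z"))
    return _der(0x30, _der(0x30, version + serial_der + sig_alg + issuer + validity))


def sample_corpus():
    """Two certs sharing issuer and serial 37 s apart, one clean sibling, one other-CA collision."""
    return [
        make_sample_cert("Sample CA", 0x1234, "150301120000Z"),
        make_sample_cert("Sample CA", 0x1234, "150301120037Z"),   # duplicate: same issuer+serial
        make_sample_cert("Sample CA", 0x1235, "150301120000Z"),   # fine: distinct serial
        make_sample_cert("Other CA", 0x1234, "150301120000Z"),    # fine: serial is per issuer
    ]


if __name__ == "__main__":
    for (issuer_fp, serial), times in find_duplicate_serials(sample_corpus()).items():
        gap = (times[-1] - times[0]).total_seconds()
        print(f"issuer {issuer_fp} serial {serial:#x}: {len(times)} certs, {gap:.0f}s apart")
```

Keying on the raw issuer Name DER rather than a pretty-printed string is deliberate: RFC 5280 uniqueness is defined against the issuer as encoded, and a string rendering can merge or split names that the encoding distinguishes. The fourth sample shows why the key includes the issuer at all: the same serial under a different CA is not a violation.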
WoSign describes its relationship with StartCom on its official website as a “100 percent equity investment” in StartCom, suggesting the two companies operate independently of each other. Mozilla, on the contrary, said it found evidence that shortly after the acquisition, “StartCom issuances switched to using WoSign’s infrastructure.”